Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/08/11 15:27:02 UTC

[GitHub] [pulsar] hpvd opened a new issue, #17069: Automatic Scan for CWEs (additional to CVEs)

hpvd opened a new issue, #17069:
URL: https://github.com/apache/pulsar/issues/17069

   ### Search before asking
   
   - [X] I searched in the [issues](https://github.com/apache/pulsar/issues) and found nothing similar.
   
   
   ### Motivation
   
   Since https://github.com/apache/pulsar/pull/10855 we are doing dependency scans for vulnerabilities (CVEs = Common Vulnerabilities and Exposures) on a regular basis. That's really great!
   
   Like always there is more one can do. We could also scan for C**W**Es...
   
   ### Solution
   
   GitHub allows open source projects like Pulsar the free usage of CodeQL.
   This tool tries to spot the C**W**Es (Common Weaknesses) in software written in different languages (and hardware), see https://cwe.mitre.org/
   
   > If you haven’t heard of [CodeQL](https://codeql.github.com/), it’s GitHub’s static code analysis engine that treats code like data and makes it queryable. Then, using a growing library of open source queries corresponding to known security vulnerability patterns, CodeQL scans your code to identify any potential issues.
   
   The usage seems to be the same as the CVE scanner we use: simply a GitHub Action, uploading a report in the end.
   For setup see: https://github.com/github/codeql-action
   
   Would be really interesting to give it a test run on a small component of pulsar and see if it can catch anything valuable without too many false positives.
   
   ### Alternatives
   
   _No response_
   
   ### Anything else?
   
   _No response_
   
   ### Are you willing to submit a PR?
   
   - [ ] I'm willing to submit a PR!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
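The issue above only links to the codeql-action repository. The following workflow is an added example of what the proposed "test run on a small component" could look like; it is not code from the issue or from the Pulsar project. It assumes Pulsar's Maven layout, that `pulsar-common` is a Maven module worth scanning first, that the default branch is `master`, and that the build runs on JDK 17; all four are assumptions and are marked in the comments.

```yaml
# Added example workflow (not from the issue or the Pulsar project).
# Save as .github/workflows/codeql.yml in the repository.
name: CodeQL

on:
  push:
    branches: [ master ]          # assumption: Pulsar's default branch
  pull_request:
    branches: [ master ]
  schedule:
    - cron: '0 3 * * 1'           # weekly run, like a scheduled dependency scan

# The analyze step uploads SARIF results to the repository's Security tab,
# which needs security-events: write. Everything else stays read-only.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: '17'      # assumption: JDK version the build requires

      # Initialise CodeQL before the build so it can trace compilation.
      # 'security-extended' adds lower-precision security queries on top of
      # the default suite: more findings, but also more triage work, which is
      # exactly what the test run should measure.
      - uses: github/codeql-action/init@v2
        with:
          languages: java
          queries: security-extended

      # Manual build instead of autobuild: compiling only one module (plus the
      # modules it depends on, via -am) keeps the "small component" run short.
      # 'pulsar-common' is an assumed module name used for illustration.
      - run: mvn -B -ntp -DskipTests -pl pulsar-common -am package

      # Run the queries and upload the SARIF report. The category keeps these
      # results separate from any other analysis of the same commit.
      - uses: github/codeql-action/analyze@v2
        with:
          category: codeql-java-pulsar-common
```

Each alert in the uploaded report carries the CWE tags of the query that produced it, which is what makes this complementary to the existing dependency scan: the CVE scan flags known-vulnerable third-party versions, while CodeQL flags weakness patterns in the project's own code. To judge the false-positive rate, as the issue suggests, triage the alerts in the Security tab after the first run; noisy queries can later be dropped from the suite, and generated or test code can be excluded with `paths-ignore` in a CodeQL config file passed through the `config-file` input.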


[GitHub] [pulsar] github-actions[bot] commented on issue #17069: Automatic Scan for CWEs (additional to CVEs scans)

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on issue #17069:
URL: https://github.com/apache/pulsar/issues/17069#issuecomment-1242849515

   The issue had no activity for 30 days, mark with Stale label.

